The Bizarre Incident Involving Microsoft Exchange Hosted Services

The probable sequence of events starts some time before November 23rd, 2006, when one of the sysadmins at the place where the web server was hosted chooses to do some testing, and creates a user called test1, and chooses a guessable (or at least bruteforceable) password for that user.

Quite predictably, a third party cracks the test1 user's password and on November 22, 2006 installs a PayPal phiskit, which is then spamvertized. Click the link below for a screenshot of what the phising site looked like in a typical browser:

Screenshot of test1's PayPal phishkit

The phishkit was installed under the cracked user's home directory, most likely because that's the only access they got.

Fortunately by the next morning, we received notices of the phishkit from people who have read the spam message, and at about ten AM Norwegian time the phishkit was preserved as evidence and removed. The complaint we filed the next day with the police is as far as I know still in queue for investigation.

Around December 7 or 8, 2006, the data which caused mail to be blocked, or “quarantined” in Microsoft terminology, by Microsoft Exchange Hosted Services' built in filtering entered the system which processes incoming mail for this customer we unfortunately have in common with Microsoft.

Debugging the problem took some days, as described in my initial writeup, and in fact my attempt to send the writeup to several Microsoft addresses bounced with a message to reduce the spamminess of the message I was trying to send.

After a longish and rather information free exchange with various Microsoft people, Microsoft's final answer arrived on January 10, 2006, saying essentially that their system was working correctly and any information about how their system works were off-limits as trade secrets.

This irritated me enough that I contacted various journalists, producing a article which appeared in their web edition on January 12 and in their print edition on January 15.

To my knowledge, Microsoft still considers this to be a case of valid classification.

Unbelievably, this all happened while I was preparing a presentation about malware and spam which I am currently rewriting to fit the format of a paper for the BSDCan conference. After the conference, the paper will be available from the conference site.

Peter N. M. Hansteen
Last modified: Mon Apr 9 22:24:12 CEST 2007